WordPress Plugin Vulnerabilities

JH 404 Logger <= 1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

The plugin doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard.

Proof of Concept

Affects Plugins

Plugin icon
jh-404-logger
No known fix

References

CVE
CVE-2021-24176

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
9.6 (critical)

Miscellaneous

Original Researcher
Ganesh Bagaria
Submitter
Ganesh Bagaria
Submitter website
https://ganofins.com
Submitter twitter
ganofins
Verified
Yes
WPVDB ID
705bcd6e-6817-4f89-be37-901a767b0585

Timeline

Publicly Published
2021-03-11 (about 4 years ago)
Added
2021-03-11 (about 4 years ago)
Last Updated
2021-03-28 (about 4 years ago)

Other

Published
Title
Published
2025-02-21
Title
.htaccess Login block <= 0.9a - Reflected Cross-Site Scripting
Published
2025-03-28
Title
PostX < 4.1.26 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2016-01-30
Title
Anti-Spam <= 4.1 - XSS
Published
2025-07-24
Title
WP Shopify < 1.5.4 - Reflected XSS
Published
2025-03-02
Title
Form Maker by 10Web < 1.15.30 - Admin+ Stored XSS